Threat modellers should always look at threat modeling as a
4-step framework that should make sure that a system is safe. This 4-step framework
consist of four questions that developers and threat modellers need to ask
themselves
A: What are you building?
This is the first step in the 4-step framework. The threat modellers
should figure out what they are building. By default, all software development
projects consist of specifications and different types of documents. One of the
simplest ways of getting an overview is by creating visual models of the system.
By taking a look at such diagrams, the threat modellers should be able to get
an idea of how extensive the system looks.
B: What can go wrong?
According to some practitioners, it is right to suggest a
more detailed list of what can go wrong, instead of using STRIDE. STRIDE is too
high level and abstract. Once we’ve looked at different models of the system,
the threat modellers should be able to find possible attack patterns that may
be a threat against the system.
C: What are you going to
do about it or what should you do about those things that can go wrong?
This step consists of
deciding what to do with every threat. It is in this step that the developers
or the threat modellers need to make a calculated decision on which attacks to
mitigate, and which attacks are hard to execute, so obscure, or not that
damaging to the system. This step is where threats need to be addressed.
D: Did
you do it right or did you do a decent job of analysis?
After
all possible threats have been considered as not damaging, it is time to
re-evaluate the system design and implementation. Threat modeling is considered
to be an iterative process. If the validation of a system fails, then the whole
process needs to jump back to the first or the second step.
